Web page access

In article <uAb9f.3665$zT6.1312@trnddc06>,
"Victor & Toni Jo Friedmann" <ge***@verizon.net> wrote:

I have a home page with Verizon. Within this home page I have several
sub-directories with their own associated pages. One of these subdirectories
has personal contact information and I wish to restrict access to these
pages to everyone except a few individuals. Is there a way to add a password
to a subdirectory so that anyone trying to access these pages will have to
input the correct password in order to view them?

Thanks.

That depends on the web server Verizon is using and the configuration
they're running. I know with Comcast, when I ask such questions, I was
told to go to a web hosting company. Comcast doesn't support such
things nor can I run CGI scripts or php or mysql.

Ask Verizon support if they have .htpass files enabled or you could just
create one and see if it has any affect, but it requires knowledge of
the Apache web server. Don't be surprised if it doesn't work or you
told you're out of luck.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

__/ [Michael Vilain] on Monday 31 October 2005 00:34 \__

In article <uAb9f.3665$zT6.1312@trnddc06>,
"Victor & Toni Jo Friedmann" <ge***@verizon.net> wrote:

I have a home page with Verizon. Within this home page I have several
sub-directories with their own associated pages. One of these
subdirectories has personal contact information and I wish to restrict
access to these pages to everyone except a few individuals. Is there a way
to add a password to a subdirectory so that anyone trying to access these
pages will have to input the correct password in order to view them?

Thanks.

That depends on the web server Verizon is using and the configuration
they're running. I know with Comcast, when I ask such questions, I was
told to go to a web hosting company. Comcast doesn't support such
things nor can I run CGI scripts or php or mysql.

Ask Verizon support if they have .htpass files enabled or you could just
create one and see if it has any affect, but it requires knowledge of
the Apache web server. Don't be surprised if it doesn't work or you
told you're out of luck.

By wishing to password-restrict content, you begin to ask for a fully-fea-
tured hosting service that comes with the risk of collpase (=support=cost)
and abuse.

Some time ago, before I had access that was beyond FTP (i.e. file manage-
ment), I used the following trick.

http://schestowitz.com/res.htm

Press "research workspace" (now crossed out). A window will pop up, re-
quiring you to enter a password, which is in fact the missing segment of
the Web address. This will not avoid spyware like Alexa/A9/Amazon toolbars
(among more) from crawling your password-protected pages, but it will at
least turn away human users who ought to remain outside. To understand how
this works (essentially JavaScript), look at the source, change it and
save it. It's known as JavaScript Gatekeeper if I recall correctly.

Hope it helps,

Roy

Roy Schestowitz wrote:

This will not avoid spyware like Alexa/A9/Amazon toolbars (among
more) from crawling your password-protected pages, but it will at
least turn away human users who ought to remain outside. To
understand how this works (essentially JavaScript), look at the
source, change it and save it.

Anyone with a clue can turn off JavaScript support in their browser.
Security should not depend on clueless attackers.

__/ [Leif K-Brooks] on Tuesday 01 November 2005 01:16 \__

Roy Schestowitz wrote:

This will not avoid spyware like Alexa/A9/Amazon toolbars (among
more) from crawling your password-protected pages, but it will at
least turn away human users who ought to remain outside. To
understand how this works (essentially JavaScript), look at the
source, change it and save it.

Anyone with a clue can turn off JavaScript support in their browser.
Security should not depend on clueless attackers.

No JavaScript, no entry. *smile*

....still better than ActiveX

ActiveX enabled, anybody in (including hijackers)

Roy

In our last episode, Leif K-Brooks <eu*****@ecritters.biz> pronounced to
comp.infosystems.www.authoring.html:

Roy Schestowitz wrote:

To
understand how this works (essentially JavaScript), look at the
source, change it and save it.

Anyone with a clue can turn off JavaScript support in their browser.

Or look at the source and deduce the address themselves.

--
Mark Parnell
http://clarkecomputers.com.au

Roy Schestowitz wrote:

Press "research workspace" (now crossed out). A window will pop up, re-
quiring you to enter a password, which is in fact the missing segment of
the Web address.

Wow. What a complicated and nasty (it ran afoul of my popup blocker) way of
implementing "The content is at URL X, I haven't got any links to it, so
add it to your bookmarks."

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is

In comp.infosystems.www.authoring.html on Tuesday 01 November 2005 05:56,
Roy Schestowitz wrote:

__/ [Leif K-Brooks] on Tuesday 01 November 2005 01:16 \__

Roy Schestowitz wrote:

This will not avoid spyware like Alexa/A9/Amazon toolbars (among
more) from crawling your password-protected pages, but it will at
least turn away human users who ought to remain outside. To
understand how this works (essentially JavaScript), look at the
source, change it and save it.

Anyone with a clue can turn off JavaScript support in their browser.
Security should not depend on clueless attackers.

No JavaScript, no entry. *smile*

...still better than ActiveX

ActiveX enabled, anybody in (including hijackers)

Roy

There is a flaw with this method, which is that if someone is visiting your
"private" page and then goes to a completely different website, the private
URL will be passed as the referrer to that website. Many websites' referrer
logs are publicly available (this may or may not be with the
intention/knowledge of the webmaster) and therefore, potentially, the links
could be accessed by search engines, so your private content could appear
in a search engine's results.

A partial solution, which I recommend you use, is to put the following in
the head section of each private page.

<meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE">

This only works with some search engines (but the major ones should all act
on it).

The preferred method of controlling search engine spiders is to use a
robots.txt file but this will have two drawbacks:

1. You might not have access to the root directory of the domain or
subdomain, which is where the robots.txt needs to go.
2. In any event, some people look at a site's robots.txt to "discover"
directories the site owner would rather weren't known about, hence it is
definitely *not* recommended for your situation.

__/ [Andrew] on Friday 04 November 2005 16:49 \__

In comp.infosystems.www.authoring.html on Tuesday 01 November 2005 05:56,
Roy Schestowitz wrote:

__/ [Leif K-Brooks] on Tuesday 01 November 2005 01:16 \__

Roy Schestowitz wrote:
This will not avoid spyware like Alexa/A9/Amazon toolbars (among
more) from crawling your password-protected pages, but it will at
least turn away human users who ought to remain outside. To
understand how this works (essentially JavaScript), look at the
source, change it and save it.

Anyone with a clue can turn off JavaScript support in their browser.
Security should not depend on clueless attackers.
No JavaScript, no entry. *smile*

...still better than ActiveX

ActiveX enabled, anybody in (including hijackers)

Roy

There is a flaw with this method, which is that if someone is visiting your
"private" page and then goes to a completely different website, the private
URL will be passed as the referrer to that website. Many websites' referrer
logs are publicly available (this may or may not be with the
intention/knowledge of the webmaster) and therefore, potentially, the links
could be accessed by search engines, so your private content could appear
in a search engine's results.

I never thought about this route. Thanks for pointing that out.

A partial solution, which I recommend you use, is to put the following in
the head section of each private page.

<meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE">

If the page contains sensitive content, I suppose 'shielding' it would indeed
be worthwhile. I would only like to stress that the information which I
'hide' is not confidential, yet it should never be easily-accessible.
Private material like Palm data has always been password-protected.

This only works with some search engines (but the major ones should all act
on it).

The preferred method of controlling search engine spiders is to use a
robots.txt file but this will have two drawbacks:

1. You might not have access to the root directory of the domain or
subdomain, which is where the robots.txt needs to go.
2. In any event, some people look at a site's robots.txt to "discover"
directories the site owner would rather weren't known about, hence it is
definitely *not* recommended for your situation.

Yes, I once thought about it. Pages and sections where I deny crawlers access
at robots.txt-level are either:

- Sections that contains names, which I would rather people did not 'Google'
(or 'Yahooed' etc.)

- Sections that are too extensive to be crawled as they will add 'noise' to
indices of the search engines.

Roy

--
Roy S. Schestowitz | Useless fact: A dragonfly only lives for one day
http://Schestowitz.com | SuSE Linux | PGP-Key: 0x74572E8E
5:15am up 2 days 1:13, 4 users, load average: 0.25, 0.46, 0.42
http://iuron.com - next generation of search paradigms

__/ [David Dorward] on Tuesday 01 November 2005 08:28 \__

Roy Schestowitz wrote:

Press "research workspace" (now crossed out). A window will pop up, re-
quiring you to enter a password, which is in fact the missing segment of
the Web address.

Wow. What a complicated and nasty (it ran afoul of my popup blocker) way of
implementing "The content is at URL X, I haven't got any links to it, so
add it to your bookmarks."

It's quite old and I was not very good at Web development at the time. By the
way, my pop-up blocker denies it as well. That page is a mess altogether and
I am fully aware of it. *smile*

Roy